GMail Contact List Exploit :(

Posted on February 18, 2006 in Inspiration (last updated on April 29, 2014)

Someone I had chatted with via email a few months ago apparently got some spam about “online bingo”, clicked on the “unsubscribe” link, and that link then exposed their entire GMail address contact list.

According to this post, through some JavaScript trickery the entire contact list can be harvested by a spammer if you click on a special link.

I’m not sure if this has yet been patched, or if this even was the method of attack (it’s apparently pretty old, and Google has a reputation for fixing stuff quickly)… but in general, don’t click any strange links in strange emails. Please.

4 Comments

It’s more insidious than that: if the user is browsing with the same browser that’s logged into GMail, and they go to a site with the malcode on it, their account can be attacked. They don’t have to follow a link from GMail, as far as I can tell.